Privacy Policy

Last updated: March 2026  ·  Effective: March 2026

Oyvoda operates an AI-powered guest experience platform for short-term rental operators and boutique hotels. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform as an operator, and how we handle guest data on your behalf.

1. Who We Are

Oyvoda is a software platform that processes guest communications and property management data on behalf of STR operators. Oyvoda acts as a data processor for guest data and a data controller for platform account data.

• Platform: oyvoda.com
• Privacy contact: privacy@oyvoda.com
• Data requests: privacy@oyvoda.com (30-day response SLA)

2. Information We Collect

Operator Account Data

• Name, email address, business name
• PMS credentials (stored encrypted, never logged in plaintext)
• Property details, house rules, operator preferences
• Billing information (processed by Stripe — not stored by Oyvoda)

Guest Data (Processed on Behalf of Operators)

• Guest name, phone number, email address from PMS booking records
• Reservation dates and property assignment
• Message content from guest conversations via RCS/SMS
• Escalation notes and incident records created by operators

Platform Usage Data

• API request logs — path, method, status code, latency (no message bodies)
• Dashboard usage patterns for product improvement
• Error logs for debugging, stripped of PII before storage

3. How We Use Data

• Service delivery: Processing guest messages, generating AI responses, routing escalations, syncing PMS data
• Platform improvement: Anonymized, aggregated usage patterns only — individual operator data is never used in cross-operator model training without explicit consent
• Security and monitoring: Detecting abuse, preventing prompt injection, maintaining SLO compliance
• Communications: Service notifications, product updates — operators can opt out at any time

4. Data Storage and Retention

All data is stored in Supabase (PostgreSQL) hosted on AWS us-east-1. Data is isolated at the company_id level — no operator can access another operator's data.

• Guest conversation records: 90 days after checkout, then permanently deleted
• Escalation and incident records: 12 months
• API request logs: 30 days
• Operator account data: duration of account plus 30 days post-cancellation
• Encrypted backups: 7-day rolling retention

5. Data Sharing

We do not sell, rent, or share personal data for advertising purposes. Data is shared only with:

• Groq: LLM inference provider. Message content sent for AI processing under their enterprise DPA with zero retention on inference infrastructure.
• Supabase: Database hosting, SOC 2 Type II certified.
• Railway: Application hosting. Data does not persist beyond the running process.
• Cloudflare: CDN and DDoS protection. Traffic metadata only — no message content.
• PMS providers (Escapia, Guesty, Track): Read-only API access to booking data you explicitly authorize.

6. Guest Data and Operator Responsibility

Operators are responsible for obtaining appropriate consent from guests to process their communications through Oyvoda. Connecting a PMS and deploying the Oyvoda concierge constitutes a representation that the operator has the right to process guest communications through our platform. Oyvoda provides standard guest consent language for inclusion in welcome messages on request.

7. Security

Core security controls include SSL/TLS encryption in transit, AES-256 encryption at rest, a hard-coded MCP trust registry that eliminates prompt injection by architecture, a sanitizer layer before every LLM call, governance validation before every action, and company-scoped data isolation at the query level. See our Security & Compliance page for full technical detail.

8. Your Rights

Depending on your location, you may have rights to access, correct, delete, or export your data.

• Operators: Email privacy@oyvoda.com — 30-day response, 72-hour response for urgent deletion
• Guests: Contact the operator whose property you stayed at. Operators can export and delete guest data from the operator dashboard.

9. CCPA (California Residents)

California residents have the right to know what personal information is collected, request deletion, and opt out of sale. We do not sell personal information. Submit CCPA requests to privacy@oyvoda.com.

10. GDPR (EEA/UK Residents)

For EEA and UK residents, Oyvoda acts as data processor for guest data and data controller for operator account data. Lawful basis for processing: contractual necessity. A Data Processing Agreement (DPA) is available on request for operators who require it — contact privacy@oyvoda.com.

11. Cookies

The Oyvoda dashboard uses session cookies for authentication only. No advertising or tracking cookies. No third-party analytics scripts are loaded.

12. Policy Changes

Material changes will be communicated by email with at least 14 days notice. Continued use after the effective date constitutes acceptance.